Skip to content

chore(deps): Bump @sveltejs/kit devDependency to 2.49.5 #18848

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Lms24 merged 3 commits into from
Jan 16, 2026
Merged

chore(deps): Bump @sveltejs/kit devDependency to 2.49.5 #18848

Lms24 merged 3 commits into from
Jan 16, 2026
+63 −23

Conversation

@Lms24
Copy link
Member

@Lms24 Lms24 commented Jan 16, 2026
edited
Loading

Bumps our dev dependency sveltekit version to the latest version in light of GHSA-j2f3-wq62-6q46.

To be clear, this package is only used a dev dependency, so it wasn't shipped in our SvelteKit SDK NPM package.

More details: https://svelte.dev/blog/cves-affecting-the-svelte-ecosystem

Update: After deduping the lock file, this also now fixes the same affected dep being used in a @sentry/nuxt dev dependency because nuxt specified devalue@^5.0.0. (Nuxt folks are also bumping the dependency officially shortly, thouth I assume this will only affect Nuxt@4 🤔, nuxt/nuxt#34089)

Closes #18849 (added automatically)

@github-actions github-actions bot mentioned this pull request Jan 16, 2026
Closed
Lms24
Lms24 commented Jan 16, 2026
View reviewed changes
yarn.lock
integrity sha512-UDsjUbpQn9kvm68slnrs+mfxwFkIflOhkanmyabZ8zOYk8SMEIbJ3TK+88g70hSIeytu4y18f0z/hYHMTrXIWw==

devalue@^5.6.2:
version "5.6.2"
Copy link
Member Author

@Lms24 Lms24 Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

devalue was also affected by 2 other CVEs but the latest kit version already bumps to the fixed version

@Lms24 Lms24 requested review from nicohrubec and s1gr1d January 16, 2026 09:11
@github-actions
Copy link
Contributor

github-actions bot commented Jan 16, 2026
edited
Loading

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario Requests/s % of Baseline Prev. Requests/s Change %
GET Baseline 8,949 - 9,517 -6%
GET With Sentry 1,769 20% 1,769 -
GET With Sentry (error only) 6,052 68% 6,054 -0%
POST Baseline 1,186 - 1,195 -1%
POST With Sentry 600 51% 579 +4%
POST With Sentry (error only) 1,033 87% 1,068 -3%
MYSQL Baseline 3,311 - 3,359 -1%
MYSQL With Sentry 474 14% 450 +5%
MYSQL With Sentry (error only) 2,706 82% 2,718 -0%

View base workflow run

This was referenced Jan 16, 2026
Closed
Closed
Closed
@Lms24 Lms24 merged commit 70a309f into develop Jan 16, 2026
407 of 409 checks passed
@Lms24 Lms24 deleted the lms/chore-deps-svekte-peerdep branch January 16, 2026 12:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicohrubec nicohrubec nicohrubec approved these changes

@s1gr1d s1gr1d s1gr1d approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

chore(deps): Bump @sveltejs/kit devDependency to 2.49.5

4 participants

@Lms24 @nicohrubec @s1gr1d